escape html in terminal (sveltejs#267)

Co-authored-by: Rich Harris <[email protected]>

Author: Rich-Harris

src/lib/client/adapters/webcontainer/index.js

@@ -1,7 +1,7 @@
 import { WebContainer } from '@webcontainer/api';
 import base64 from 'base64-js';
 import AnsiToHtml from 'ansi-to-html';
-import { get_depth } from '../../../utils.js';
+import { escape_html, get_depth } from '../../../utils.js';
 import { ready } from '../common/index.js';
 
 const converter = new AnsiToHtml({
@@ -59,7 +59,7 @@ export async function create(base, error, progress, logs) {
 					// clear screen
 					logs.set([]);
 				} else {
-					const log = converter.toHtml(chunk);
+					const log = converter.toHtml(escape_html(chunk));
 					logs.update(($logs) => [...$logs, log]);
 				}
 			}

src/lib/server/markdown.js

@@ -4,6 +4,7 @@ import 'prismjs/components/prism-diff.js';
 import 'prismjs/components/prism-typescript.js';
 import 'prism-svelte';
 import { marked } from 'marked';
+import { escape_html } from '$lib/utils';
 
 const languages = {
 	bash: 'bash',
@@ -17,18 +18,6 @@ const languages = {
 	'': ''
 };
 
-/** @type {Record<string, string>} */
-const chars = {
-	'&': '&amp;',
-	'<': '&lt;',
-	'>': '&gt;'
-};
-
-/** @param {string} html */
-function escape(html) {
-	return html.replace(/[&<>]/g, (c) => chars[c]);
-}
-
 const delimiter_substitutes = {
 	'+++': '             ',
 	'---': '           ',
@@ -84,7 +73,7 @@ const default_renderer = {
 
 				return {
 					type,
-					content: escape(content)
+					content: escape_html(content)
 				};
 			});
 
@@ -99,7 +88,7 @@ const default_renderer = {
 			const plang = languages[lang];
 			const highlighted = plang
 				? PrismJS.highlight(source, PrismJS.languages[plang], language)
-				: escape(source);
+				: escape_html(source);
 
 			html = `<div class="code-block">${
 				options.file ? `<span class="filename">${options.file}</span>` : ''

src/lib/utils.js

@@ -2,3 +2,15 @@
 export function get_depth(name) {
 	return name.split('/').length - 1;
 }
+
+/** @type {Record<string, string>} */
+const chars = {
+	'&': '&amp;',
+	'<': '&lt;',
+	'>': '&gt;'
+};
+
+/** @param {string} html */
+export function escape_html(html) {
+	return html.replace(/[&<>]/g, (c) => chars[c]);
+}